·

audit_add_rule_data (3) Linux Manual Page

ByLinux Manual Posted on

audit_add_rule_data – Add new audit rule

Synopsis

#include <libaudit.h>

int audit_add_rule_data (int fd, struct audit_rule_data *rule, int flags, int action);

Description

audit_add_rule adds an audit rule previously constructed with audit_rule_fieldpair_data(3) to one of several kernel event filters. The filter is specified by the flags argument. Possible values for flags are:


AUDIT_FILTER_USER – Apply rule to userspace generated messages.

AUDIT_FILTER_TASK – Apply rule at task creation (not syscall).

AUDIT_FILTER_EXIT – Apply rule at syscall exit.

AUDIT_FILTER_TYPE – Apply rule at audit_log_start.

The rule’s action has two possible values:


AUDIT_NEVER – Do not build context if rule matches.

AUDIT_ALWAYS – Generate audit record if rule matches.

Return Value

The return value is <= 0 on error, otherwise it is the netlink sequence id number. This function can have any error that sendto would encounter.

See Also

audit_rule_fieldpair_data(3), audit_delete_rule_data(3), auditctl(8).

Author

Steve Grubb.

Leave a Reply

Your email address will not be published. Required fields are marked *